I'm having real issues in parsing JSON events. I have a distributed Splunk setup and I have tested uploading the logs manually through Splunk Web on the search head with the below sourcetype, and everything works perfectly:
[cloudflare]
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT=%s%9N
TIME_PREFIX=^
Data is coming in through a universal forwarder. On the UF, I have the below settings:
[cloudflare]
INDEXED_EXTRACTIONS=json
KV_MODE = none
AUTO_KV_JSON = false
and on the indexers I have:
[cloudflare]
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT=%s%9N
TIME_PREFIX=^
When the data comes in, it takes the timestamp of when it was indexed, not the timestamp value. There are also two timestamp fields per event, one with the nanosecond timestamp value and the other with 'none'. The value or string none appears nowhere in my event. When I hover over the timestamp I get a message pop up saying:
This value may have been rounded because it exceeds the maximum allowed int value.
This is the error I was initially seeing when manually uploading the data on the search head, so I added TIME_FORMAT=%s%9N, which did the trick there, but it doesn't seem to work on the indexers. I have swapped and changed around the sourcetypes on the UF and the indexer, but it doesn't seem to do any good. What am I doing wrong? Screenshots attached of what I am seeing.
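As an added editor's example (not the poster's own files): when a universal forwarder has INDEXED_EXTRACTIONS set, the forwarder parses the structured data itself and the indexer does not re-parse it, so timestamp settings for that sourcetype only take effect in the forwarder's props.conf, while KV_MODE and AUTO_KV_JSON are search-time settings that belong on the search head. The stanza name and field name are taken from the post; the file split is the assumption being illustrated.

```ini
# --- props.conf on the universal forwarder (added example) ---
# The forwarder does the parsing for INDEXED_EXTRACTIONS sourcetypes, so the
# timestamp settings must live in this same stanza; copies of them placed only
# on the indexer are not applied to data that arrives already parsed.
[cloudflare]
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s%9N
TIME_PREFIX = ^

# --- props.conf on the search head (added example) ---
# Search-time settings only: stop the search head from extracting the JSON
# fields a second time on top of the index-time extractions.
[cloudflare]
KV_MODE = none
AUTO_KV_JSON = false
```

After deploying the forwarder stanza, only events that arrive after the change will pick up the new timestamp handling; already indexed events keep their index-time _time.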